ensuring security the way how we do it
HUSTEF, 2015.11.18
Attila Tóth
Nokia Solutions and Networks 2014

Disclaimer
The ideas, processes and tools are presented from a practitioner's point of view, working on a specific Nokia product. This presentation aims to give an insight, but does not attempt to reach detailed and full coverage valid for all Nokia products.

Basic principles
Confidentiality: no information disclosure to 3rd party
Integrity: information / data / piece of code has not been manipulated or altered
Authentication: ensuring that parties involved are those who they claim to be
Availability: service / data is available when required
Authorization: parties have the authority to perform the action
Non-repudiation: when sending data / message, the party cannot claim later that it was not him who sent it

Dynamic testing

Threat and risk analysis
Organized as a workshop and documented.
People involved: software and test architects, lead testers and developers, product management.
We are looking for the answers to the following questions:
What are the assets that we need to protect?
Who are the potential attackers?
What are the potential attack scenarios?
What is the likelihood of these attacks?
What is the impact?
What can we do to reduce the likelihood or impact?

Privacy assessment
Privacy risk assessment.
Privacy sensitive data: anything that can be used to track and identify a certain individual can potentially be used for abusing privacy rights.
Assess each piece of data generated / processed / stored.

Feature documentation review
Check the design before implementation.
Check whether the product meets customer security requirements.

Code review, static analysis
Check the code created.
Check adherence to secure coding guidelines.
Should spot things like: buffer overflow, "goto fail".
Create your checklist, e.g.:
Correct cipher?
Correct key size?
Proper random number?
Sensitive information revealed, logged or leaked?
Any weak points?
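The checklist above can be turned into a first-pass automated review that a human reviewer then confirms. The following is an added example, not the presentation's or Nokia's code: a small Python checker that runs the slide's items (unbounded copies, weak ciphers, weak randomness for key material, secrets in log calls, undersized RSA keys and a duplicated "goto fail") over a constructed C snippet; the patterns, the 2048-bit threshold and the sample source are assumptions for illustration.

```python
import re

# Constructed C snippet (not from the page) carrying the kinds of findings the
# checklist targets: a fixed-size buffer filled with strcpy, a duplicated
# "goto fail;", a 1024-bit RSA key, rand() used for key material, a password
# written to the log and a 3DES cipher.
SAMPLE_C = """\
char name[32];
strcpy(name, user_input);
if ((err = check_sig(ctx)) != 0)
    goto fail;
    goto fail;
if ((err = check_hash(ctx)) != 0)
    goto fail;
RSA_generate_key_ex(rsa, 1024, e, NULL);
key[i] = rand() & 0xff;
log_info("login user=%s pass=%s", user, password);
EVP_des_ede3_cbc();
"""

# Each checklist item: (finding name, regex); a match on a line is a finding.
CHECKLIST = [
    ("buffer overflow: unbounded copy", re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\(")),
    ("weak cipher / hash", re.compile(r"\b(EVP_)?(des|rc4|md5|sha1)\w*\s*\(", re.I)),
    ("weak random for key material", re.compile(r"\brand\s*\(\s*\)")),
    ("sensitive data logged", re.compile(r"\blog\w*\s*\(.*\b(pass(word)?|secret|token)\b", re.I)),
]
MIN_RSA_BITS = 2048  # assumed minimum for the "correct key size?" item
RSA_KEYGEN = re.compile(r"RSA_generate_key\w*\s*\(\s*\w+\s*,\s*(\d+)")

def review(source: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for the checklist items above."""
    findings = []
    lines = source.splitlines()
    for no, line in enumerate(lines, 1):
        for name, pattern in CHECKLIST:
            if pattern.search(line):
                findings.append((no, name))
        m = RSA_KEYGEN.search(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append((no, f"RSA key size {m.group(1)} < {MIN_RSA_BITS}"))
        # "goto fail": the same unconditional goto repeated on the next line
        # jumps past every check that follows it, so the repeat is a finding.
        if line.strip() == "goto fail;" and no > 1 and lines[no - 2].strip() == "goto fail;":
            findings.append((no, "duplicated goto fail (later checks unreachable)"))
    return findings

if __name__ == "__main__":
    for no, what in review(SAMPLE_C):
        print(f"line {no}: {what}")
```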

Vulnerability notification
Follow up on new vulnerabilities found in 3rd party software, e.g.:
http://cve.mitre.org/
http://osvdb.org/
Security bulletins of vendors
Mailing lists
Apply security patches proactively.

Statement of security compliancy
Create a list of security base requirements that all products shall meet.
Measure the compliancy on each release.
The compliancy score should not decrease.

Dynamic testing
Discovery test & Port scanning
To cross-check risk analysis target IP addresses.
To verify the in-host firewall and running services on the SUT.
Should match documentation.
Tooling, e.g.: nmap (open source)
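The "should match documentation" check is the part worth automating: compare what the scanner reports as open with what the feature documentation says should be reachable. This is an added example, not the presentation's code; it parses constructed nmap grepable (-oG) output for a TEST-NET address and the documented service list is assumed.

```python
# Constructed nmap -oG (grepable) output for one host; not a real scan result.
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65531)
# Nmap done at ...
"""

# What the feature documentation says should be reachable on the SUT (assumed).
DOCUMENTED = {"192.0.2.10": {("tcp", 22), ("tcp", 443)}}

def parse_open_ports(grepable: str) -> dict:
    """Map host -> {(proto, port)} for every port nmap reports as open."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open":
                result.setdefault(host, set()).add((proto, port))
    return result

def compare_with_documentation(scanned: dict, documented: dict) -> tuple:
    """Return (undocumented open ports, documented ports not found open) per host."""
    undocumented, missing = {}, {}
    for host in set(scanned) | set(documented):
        seen = scanned.get(host, set())
        expected = documented.get(host, set())
        if seen - expected:
            undocumented[host] = sorted(seen - expected)   # firewall / service gap
        if expected - seen:
            missing[host] = sorted(expected - seen)        # documentation or deployment gap
    return undocumented, missing

if __name__ == "__main__":
    undoc, miss = compare_with_documentation(parse_open_ports(NMAP_GREPABLE), DOCUMENTED)
    print("undocumented open ports:", undoc)
    print("documented but not open:", miss)
```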

Vulnerability scanning
To verify whether vulnerability notification and patching works.
Scan installed software for known vulnerable versions.
Tooling, e.g.: OpenVAS (open source)

Robustness testing (Fuzzing)
To stress test the external interfaces with invalid traffic and observe any crashes.
Tooling, e.g.: Sulley (open source), Peach (community edition)

Web app / database testing
To test the web application for:
SQL injection
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Tooling, e.g.: mitmproxy (open source), Fiddler (free), w3af (open source)

Penetration / exploratory testing
To work like a hacker and break into the system.
To try scenarios, learn how the system works, try different scenarios, repeat.
Tooling, e.g.: Kali Linux (open source), anything

DoS testing
To verify behavior under an overload situation.
Tooling, e.g.: performance verification test tool

Security audit
To verify from an external point of view.
Conducted by a 3rd party.

Summary
Threat and risk analysis
Privacy assessment
Feature documentation review
Code reviews, static analysis
Vulnerability notification
Statement of security compliancy
Dynamic testing:
Discovery test & Port scanning
Vulnerability scanning
Robustness testing (Fuzzing)
Web app / database testing
Penetration / exploratory testing
DoS testing
Security audit